Amendments to the Claims 

The listing of claims will replace all prior versions, and listings of claims in the 
application. 

1. (Currently Amended) A method for providing access management through use of a plurality of server machines associated with different locations, said method comprising the acts of: 

(a) receiving, at a first server machine of the plurality of server machines, an 
access request to access a secure item from a first client machine at a first location; 

(b) authenticating a user of the first client machine at the first location; 

(c) authenticating the first client machine; 

(d) upon successful authentication in steps (b) and (c), retrieving at the first 
server machine a user key permitting access to an encrypted header of the secured item, 
the encrypted header including access rules for the secured item; 

(e) permitting access to the secure item via the first location when said 
authenticating (b) and (c) are successful; 

(f) permitting access to the secure item via the first server machine when said [[determining (e) determines that the user is permitted]] permitting (e) permits the user to gain access to the secure item from the first location; and 

(g) preventing access to the secure item via the first server machine when said [[determining (e) determines that the user is not permitted]] permitting (e) does not permit the user to gain access to the secure item from the first location. 
2. (Currently Amended) The method as recited in claim 1, wherein said [[determining]] permitting (e) comprises: 

(e1) obtaining access privileges associated with the user to determine at least 
permitted locations for the user; and 

(e2) determining whether the user is permitted to gain access to the secure 
item from the first location based on the permitted locations associated with the user. 

3. (Previously Presented) The method as recited in claim 1, wherein, when 
permitted by said permitting (e), allowing access to the secure item from the first 
location via the first client machine and the first server machine. 

4. (Previously Presented) The method as recited in claim 1, wherein, when 
permitted by said permitting (f), allowing access to the secure item from the first location 
via the first client machine and the first server machine. 

5. (Currently Amended) The method as recited in claim 1, further comprising the acts of: 

(h) preventing access to the secure item via any of the server machines other than the first server machine when said [[determining (e) determines that the user is permitted]] permitting (f) permits the user to gain access to the secure item from the first location. 
6. (Currently Amended) The method as recited in claim 1, 

wherein said [[determining]] permitting (e) comprises determining whether the user 
is permitted to gain access to the secure item via the first client machine and the first 
server machine, and 

wherein said permitting (f) operates to permit the user to gain access to the secure item via the first client machine and the first server machine when said [[determining (d)]] permitting (e) determines that the user is permitted to gain access to the secure item via both the first client machine and the first server machine. 

7. (Currently Amended) The method as recited in claim 1, 

wherein said [[determining]] permitting (e) comprises determining whether the user 
is permitted to gain access to the secure item via the first server machine, and 

wherein said permitting (f) operates to permit the user to gain access to the secure 
item via the first server machine when said [[determining]] permitting (e) determines that 
the user is permitted to gain access to the secure item via the first server machine. 

8. (Currently Amended) The method as recited in claim 1, 

wherein said [[determining]] permitting (e) comprises determining whether the user 
is permitted to gain access to the secure item via the first client machine, and 

wherein said permitting (f) operates to permit the user to gain access to the secure 
item via the first client machine when said [[determining]] permitting (e) determines that the 
user is permitted to gain access to the secure item via the first client machine. 
9. (Currently Amended) The method as recited in claim 1, further 
comprising the acts of: 

(h) preventing the user from gaining access to the secure item via any of the 
server machines other than the first server machine when said [[determining]] permitting (e) 
determines that the user is permitted to gain access to the secure item from the first 
location. 

10. (Previously Presented) The method as recited in claim 9, wherein said 
preventing (h) of the user to gain access to the secure item via any of the other server 
machines comprises reconfiguring at least any of the other server machines that 
previously permitted the user to gain access to the secure item therethrough. 

11. (Previously Presented) The method as recited in claim 10, wherein said 
permitting (f) of the user to gain access to the secure item via the first server machine 
comprises reconfiguring the first server machine to permit access by the user to the 
secure item via the first server machine. 

12. (Currently Amended) The method as recited in claim 11, wherein said [[determining]] permitting (e) comprises: 

[[(d1)]] (e1) obtaining access privileges associated with the user to determine at least permitted locations for the user; and 

[[(d2)]] (e2) determining whether the user is permitted to gain access to the secure item from the first location based on the permitted locations associated with the user. 

13. (Previously Presented) The method as recited in claim 1, wherein said 
permitting (f) of the user to gain access to the secure item via the first server machine 
comprises reconfiguring the first server machine to permit access by the user to the 
secure item via the first server machine. 

14. (Currently Amended) The method as recited in claim 1, wherein the secure item is a secured file, the secured file having a format that comprises a header including security information as to who and how [[the secure item can be accessed]] access to the secure item is permitted; an encrypted data portion including data of the secured file encrypted with a file key according to a predetermined cipher scheme, and wherein the header is attached to the encrypted data portion to generate the secured file. 

15. (Previously Presented) The method as recited in claim 14, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 

16. (Previously Presented) The method as recited in claim 15, wherein the 
security information in the header of the secured file points to or includes the access 
rules and a file key. 
17. (Previously Presented) The method as recited in claim 14, wherein the 
security information is encrypted with a user key associated with the user. 

18. (Previously Presented) The method as recited in claim 14, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 

19. (Previously Presented) The method as recited in claim 18, wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file when access 
privilege of the user is within access permissions by the access rules. 

20. (Previously Presented) The method as recited in claim 18, wherein the 
access rules are expressed in a markup language. 

21. (Previously Presented) A method for providing access management 
through use of a distributed network of server machines, said method comprising the acts 
of: 

(a) receiving, at a first server machine of the plurality of server machines, an 
access request to access a secure item from a first client machine; 

(b) authenticating a user of the client machine; 

(c) authenticating the first client machine; 
(d) upon successful authenticating in step (b) and (c), retrieving at the first 
server machine a user key permitting access to an encrypted header of the secure item, 
the encrypted header including access rules for the secure item; 

(e) retrieving access privileges associated with the user; 

(f) determining whether the user is permitted to gain access to the secure 
item via the first server machine based on the access privileges when said authenticating 
(b) and (c) are successful; 

(g) permitting access to the secure item via the first server machine when said 
determining (f) determines that the user is permitted to gain access to the secure item via 
the first server machine; and 

(h) preventing access to the secure item via the first server machine when 
said determining (f) determines that the user is not permitted to gain access to the secure 
item via the first server machine. 

22. (Previously Presented) The method as recited in claim 21, further 
comprising the acts of: 

(i) preventing access to the secure item via any of the server machines other 
than the first server machine when said determining (e) determines that the user is 
permitted to gain access to the secure item via the first server machine. 

23. (Previously Presented) The method as recited in claim 21, 

wherein said determining (f) further determines whether the user is permitted to gain access to the secure item via the first client machine, and 

wherein said permitting (g) operates to permit the user to gain access to the secure item via the first client machine and the first server machine when said determining (f) determines that the user is permitted to gain access to the secure item via both the first client machine and the first server machine. 

Atty. Dkt. No. 2222.5390003 
- 9 - VAINSTEIN et al 
Appl. No. 10/075,194 

24. (Previously Presented) The method as recited in claim 23, further 
comprising the acts of: 

(i) preventing access to the secure item via any of the server machines other 
than the first server machine when said determining (f) determines that the user is 
permitted to gain access to the secure item via the first server machine. 

25. (Previously Presented) The method as recited in claim 24, wherein said 
preventing (i) of access to the secure item via any of the other server machines comprises 
reconfiguring at least any of the other server machines that previously permitted the user 
to gain access to secure items therethrough. 

26. (Previously Presented) The method as recited in claim 25, wherein said 
permitting (g) of access to the secure item via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to the secure item via 
the first server machine. 

27. (Previously Presented) The method as recited in claim 21, wherein said 
permitting (g) of the access to the secure item via the first server machine comprises 
reconfiguring the first server machine to permit access to the secure item via the first 
server machine. 

28. (Currently Amended) The method as recited in claim 21, wherein the secure item is a secured file, the secured file having a format that comprises a header including security information as to who and how [[the secure item can be accessed]] access to the secured file is permitted; an encrypted data portion including data of the secured file encrypted with a file key according to a predetermined cipher scheme, and wherein the header is attached to the encrypted data portion to generate the secured file. 

29. (Previously Presented) The method as recited in claim 28, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 

30. (Previously Presented) The method as recited in claim 28, wherein the 
security information is encrypted with a user key associated with the user. 

31. (Previously Presented) The method as recited in claim 28, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 
32. (Previously Presented) The method as recited in claim 28, wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file when access 
privilege of the user is within access permissions by the access rules. 

33. (Previously Presented) The method as recited in claim 31, wherein the 
access rules are expressed in a markup language. 
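Claims 14 to 20 (and the parallel claims 28 to 33) describe a secured file whose header carries the security information, namely the file key and the access rules expressed in a markup language, is encrypted with a user key, and is attached to a data portion encrypted with the file key, the file key being released only when the user's access privilege falls within the access rules. The following Python program is an added illustration written for this page; it is not code from the application or its applicants. The HMAC-SHA256 counter-mode keystream, the `SECF` signature, the JSON header layout and the `<permit user=... location=...>` rule vocabulary are all assumptions standing in for the unspecified "predetermined cipher scheme" and header encoding.

```python
"""Added example of a secured-file format in the spirit of claims 14-20:
encrypted header (file key + access rules, under a user key) attached to a
data portion encrypted with the file key.  Not the applicants' code; every
format detail below is an assumption made for this illustration."""
import hashlib
import hmac
import json
import os
import struct
import xml.etree.ElementTree as ET

MAGIC = b"SECF"  # constructed 4-byte signature for the toy format (assumption)

# Constructed access rules in a markup language (claim 20).  The user's access
# privilege is a (user, location) pair that must fall within these permits.
RULES_XML = """<rules>
  <permit user="alice" location="hq"/>
  <permit user="alice" location="branch"/>
  <permit user="bob" location="hq"/>
</rules>"""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the claims' 'predetermined cipher scheme': an
    HMAC-SHA256 counter-mode keystream XORed over the data.  The same call
    encrypts and decrypts.  Not a vetted cipher; real code would use an AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on tampering or on
    a key that does not match (e.g. a user key belonging to another user)."""
    if len(sealed) < 48:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return _keystream_xor(key, nonce, ct)


def build_secured_file(data: bytes, file_key: bytes, user_key: bytes, rules_xml: str) -> bytes:
    """Header = security information (file key + access rules) sealed under the
    user key (claim 17); data portion sealed under the file key; header attached
    in front of the data portion (claim 14)."""
    security_info = json.dumps({"file_key": file_key.hex(), "rules": rules_xml}).encode()
    header = _seal(user_key, security_info)
    body = _seal(file_key, data)
    return MAGIC + struct.pack(">I", len(header)) + header + body


def split_secured_file(blob: bytes):
    """Return (encrypted header, encrypted data portion) without decrypting either."""
    if blob[:4] != MAGIC:
        raise ValueError("not a secured file")
    hlen = struct.unpack(">I", blob[4:8])[0]
    return blob[8:8 + hlen], blob[8 + hlen:]


def rules_permit(rules_xml: str, user: str, location: str) -> bool:
    """True when the (user, location) privilege is within the access permissions."""
    root = ET.fromstring(rules_xml)
    return any(p.get("user") == user and p.get("location") == location
               for p in root.iter("permit"))


def open_secured_file(blob: bytes, user_key: bytes, user: str, location: str) -> bytes:
    """Decrypt the header with the user key, evaluate the access rules, and only
    then retrieve the file key and decrypt the data portion (claim 19 ordering)."""
    header_ct, body_ct = split_secured_file(blob)
    info = json.loads(_open(user_key, header_ct))
    if not rules_permit(info["rules"], user, location):
        raise PermissionError(f"{user}@{location} is outside the access rules")
    file_key = bytes.fromhex(info["file_key"])
    return _open(file_key, body_ct)


if __name__ == "__main__":
    fk, uk = os.urandom(32), os.urandom(32)
    blob = build_secured_file(b"quarterly figures", fk, uk, RULES_XML)
    print(open_secured_file(blob, uk, "alice", "branch"))
```

The ordering in `open_secured_file` is the point of claim 19: the file key never leaves the header unless the rules permit the request, and a wrong user key fails at the header's authentication tag before any rule is even read. In a real deployment each user would hold a distinct user key and the header would carry one sealed copy of the security information per authorised user.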

34. (Previously Presented) A computer readable medium including at least 
computer program code for providing access management to secured content through use 
of a plurality of server machines associated with different locations, by a method 
comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine at a first location; 
authenticating a user of the first client machine at the first location; 
authenticating the first client machine; 

retrieving at the first server machine a user key permitting access to an encrypted 
header of the secured item, the encrypted header including access rules for the secure 
item upon authentication of the user and the first client machine; 

determining whether access to the secure item via the first location is permitted 
when said computer program code for authenticating the first client machine and the user 
are successful; 
permitting access to the secure item via the first server machine when said 
computer program code for determining determines that the user is permitted to gain 
access to the secure item from the first location; and 

preventing access to the secure item via the first server machine when said 
computer program code for determining determines that the user is not permitted to gain 
access to the secure item from the first location. 

35. (Previously Presented) A computer readable medium including at least 
computer program code for providing access management through use of a distributed 
network of server machines, said computer readable medium comprising: 

computer program code for receiving, at a first server machine of the plurality of 
server machines, an access request to access a secure item from a first client machine; 

computer program code for authenticating a user of the client machine; 

computer program code for authenticating the first client machine; 

computer program code for retrieving at the first server machine a user key 
permitting access to an encrypted header of the secured item, the encrypted header 
including access rules for the secure item upon authenticating of the user and the first 
client machine; 

computer program code for retrieving access privileges associated with the user; 

computer program code for determining whether the access to the secure item via 
the first server machine is permitted based on the access privileges when said computer 
program code for authenticating the first client machine and the user are successful; 
computer program code for permitting access to the secure item via the first 
server machine when said computer program code for determining determines that the 
user is permitted to gain access to the secure item via the first server machine; and 

computer program code for preventing access to the secure item via the first 
server machine when said computer program code for determining determines that the 
user is not permitted to gain access to the secure item via the first server machine. 

36. (Currently Amended) An access control system that restricts access to a 
secure item, said system comprising: 

a central server having a server module that provides overall access control; and 

a plurality of local servers, each of said servers including a local module that 
provides local access control, 

wherein the access control, performed by said central server or said local servers, 
operates to permit or deny access requests to secured items by requestors, and 

wherein, based on information stored in an encrypted header of a secure item a given requestor, permitted to access the secure item through one or more of said local servers, is only able to access the secure item using only a single one of said local servers or the central server such that the given requestor [[can]] is only permitted to access the secure item through at most one of said local servers at a time. 

37. (Previously Presented) The access control system as recited in claim 36, 
wherein said access control system couples to an enterprise network to restrict access to 
the secure item, which comprises a secured file, stored therein. 
38. (Previously Presented) The access control system as recited in claim 37, 
wherein the access requests are at least primarily processed in a distributed manner by 
said local servers. 

39. (Previously Presented) The access control system as recited in claim 38, 
wherein when the access requests are processed by said local servers, the requestors gain 
access to the secured files without having to access said central server. 

40. (Currently Amended) The access control system as recited in claim 37, wherein the local module [[can be]] is a copy of the server module so any of the local modules can [[operate independent]] operate independently of said central server and other of said local servers. 

41. (Currently Amended) The access control system as recited in claim 37, wherein the local module [[can be]] is a subset of the server module. 

42. (Currently Amended) The access control system as recited in claim 37, wherein access permissions for said local servers [[can be]] is dynamically configured to pass a requestor from one of said local servers to another of said local servers, thereby enabling access control to be performed by the another of said local servers such as when the location of the requestor changes. 
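Claims 1 to 13, 21 to 27 and 36 to 42 all turn on the same control loop: a request arrives at one server machine, the user and the client machine are authenticated, the access rules read from the item's header decide whether the requesting location (or server) is permitted, access is then granted through that one server and prevented through every other server by reconfiguring them, so that a requestor reaches the item through at most one local server at a time and is passed from server to server as the location changes. The following Python program is an added illustration of that loop written for this page; it is not the applicants' code. The credential tables, server names, the `HEADER_RULES` dictionary (standing in for rules already decrypted from the header) and the audit record shape are all constructed assumptions.

```python
"""Added example: location-aware access management over several server
machines, in the spirit of claims 1-13, 21-27 and 36-42.  Not the applicants'
code; credential tables, server names and rule layout are constructed."""
import hmac

# Constructed credential tables (assumption); a deployment would consult the
# enterprise directory and client-machine certificates instead.
USER_SECRETS = {"alice": "pw-alice", "bob": "pw-bob"}
TRUSTED_CLIENTS = {"laptop-17", "desk-03"}

# Access rules as they would be read from the secure item's decrypted header:
# user -> locations from which access to the item is permitted (constructed).
HEADER_RULES = {"alice": {"hq", "branch"}, "bob": {"hq"}}


class ServerMachine:
    """A local server tied to one location.  It only passes requests for users
    it has been configured to serve, so 'permitting' and 'preventing' access
    through a server means reconfiguring it (claims 10, 11, 25, 26)."""

    def __init__(self, name: str, location: str):
        self.name, self.location = name, location
        self.granted = set()  # users currently permitted through this server

    def configure(self, user: str, allow: bool) -> None:
        if allow:
            self.granted.add(user)
        else:
            self.granted.discard(user)

    def serves(self, user: str) -> bool:
        return user in self.granted


class AccessManager:
    """Central module (claim 36) that decides on a request received at one
    server and then reconfigures every server so the user can reach the
    secure item through at most one of them at a time."""

    def __init__(self, servers, rules):
        self.servers = {s.name: s for s in servers}
        self.rules = rules
        self.audit = []  # (server, user, outcome) records for later review

    def authenticate_user(self, user: str, secret: str) -> bool:
        return hmac.compare_digest(USER_SECRETS.get(user, ""), secret)

    def authenticate_client(self, client_id: str) -> bool:
        return client_id in TRUSTED_CLIENTS

    def request_access(self, server_name: str, client_id: str, user: str, secret: str) -> bool:
        """Steps (a)-(g) of claim 1 plus step (h) of claims 5 and 9."""
        server = self.servers[server_name]                     # (a) request received here
        if not (self.authenticate_user(user, secret)           # (b) user
                and self.authenticate_client(client_id)):      # (c) client machine
            self.audit.append((server_name, user, "auth-failed"))
            return False
        permitted = self.rules.get(user, set())                # (e1) privileges -> locations
        if server.location not in permitted:                   # (e2) location check
            server.configure(user, False)                      # (g) prevent via this server
            self.audit.append((server_name, user, "location-denied"))
            return False
        for other in self.servers.values():                    # (f) permit here, (h) prevent elsewhere
            other.configure(user, other is server)
        self.audit.append((server_name, user, "permitted"))
        return True

    def servers_serving(self, user: str) -> list:
        return sorted(n for n, s in self.servers.items() if s.serves(user))

    def at_most_one_server(self, user: str) -> bool:
        """Invariant of claim 36: never more than one local server at a time."""
        return len(self.servers_serving(user)) <= 1


def build_manager() -> AccessManager:
    """Three constructed servers at two locations."""
    return AccessManager([ServerMachine("hq-1", "hq"), ServerMachine("hq-2", "hq"),
                          ServerMachine("br-1", "branch")], HEADER_RULES)


if __name__ == "__main__":
    mgr = build_manager()
    mgr.request_access("hq-1", "laptop-17", "alice", "pw-alice")
    mgr.request_access("br-1", "laptop-17", "alice", "pw-alice")  # claim 42: passed to another server
    print(mgr.servers_serving("alice"), mgr.audit)
```

A failed authentication deliberately leaves the existing server configuration untouched, so a wrong password at a second server cannot be used to strip a user's current grant; only a successful request at a new server, or a denied location, changes which server the user is passed through.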
43. (Previously Presented) The access control system as recited in claim 37, wherein the secured files are secured by encryption of the secure item. 

44. (Previously Presented) The access control system as recited in claim 37, wherein the secure item is secured by encryption. 